QUESTIONS FOR UNESCO'S COMPREHENSIVE STUDY ON INTERNET RELATED ISSUES

Submitted by admin on Fri, 27/06/2014 - 23:32

From now until November 2014, UNESCO is asking for inputs and research around this global questionnaire on Internet-related issues in the four areas of access to information and knowledge, freedom of expression, privacy, and ethical dimensions of the information society. The questions also explore the intersections between these areas and options for future UNESCO action in these fields.

The findings, on topics which relate to UNESCO’s mandate, will feed into a comprehensive Internet-related study mandated by UNESCO’s 195 Member States through Resolution 52 of the Organization’s 37th General Conference (November 2013).

Contributions can be submitted through this open online questionnaire or at the many conferences where UNESCO organizes consultation events. Other comments and questions can be sent to [email protected]

NOTE: Your written contribution will be published on the UNESCO website after submission.

Name EPHRAIM PERCY KENYANITO

Gender * Male

E-mail * [email protected]

Category of Stakeholder * Civil Society and NGOs including individual users

Others: please specify

Name of Organization or affiliation: Access (AccessNow.Org)

Country * Kenya

Region * Africa


Access (AccessNow.org) is an international organization that defends and extends the digital rights of users at risk around the world. By combining innovative policy, user engagement of our global community of nearly half a million members around the world, and direct technical support we fight for open and secure communications for all. We welcome this opportunity to submit comment on UNESCO’s Internet Universality study. Given the breadth of the study’s questions, we have chosen to focus on a subsection of questions that most directly pertain to our mandate.

For any questions or comments please contact Access Policy Director Jochai Ben-Avie ([email protected]) or Policy Fellow Ephraim Kenyanito ([email protected]).

A. Questions related to the field of Access to information and knowledge

1. What can be done to reinforce the right to seek and receive information in the online environment?

Access notes that a recently (November 2014) released survey of Internet users in 24 countries has found that 83% believe affordable access to the internet should be a basic human right, according to the “CIGI-Ipsos Global Survey on Internet Security and Trust.” This overwhelming sentiment speaks to the fact that the internet is perhaps the greatest democratizing force in the history of the fight to realize Article 19 of the ICCPR, enabling billions to seek, receive, and impart information like never before.

Yet, even as more and more individuals come online for the first time, freedom of expression online is under unprecedented threat, particularly from threats of surveillance, net discrimination and censorship. To reinforce this right, existing protections must be enforced and new policies and regulations are needed to ensure adequate protection of this fundamental freedom.

A. Surveillance

As the former UN Special Rapporteur on Freedom of Expression Frank La Rue noted in a report last year:

The right to privacy is often understood as an essential requirement for the realization of the right to freedom of expression. Undue interference with individuals’ privacy can both directly and indirectly limit the free development and exchange of ideas. Restrictions of anonymity in communication, for example, have an evident chilling effect on victims of all forms of violence and abuse, who may be reluctant to report for fear of double victimization. In this regard, article 17 of ICCPR refers directly to the protection from interference with “correspondence”, a term that should be interpreted to encompass all forms of communication, both online and offline. As the Special Rapporteur noted in a previous report, the right to private correspondence gives rise to a comprehensive obligation of the State to ensure that e-mails and other forms of online communication are actually delivered to the desired recipient without the interference or inspection by State organs or by third parties. (p. 7)

The Snowden revelations have at once revealed the staggering scope and scale of interference with the right to privacy of virtually all of the world’s users by the U.S., U.K., and other governments, while at the same time giving rise to the chilling effect on freedom of expression that La Rue describes. A recent study by the PEN America Center reveals that 28 percent of writers surveyed have “curtailed or avoided activities on social media,” with another 12 percent saying they had seriously considered doing so.

The PEN study illustrates the urgent need for surveillance reform to ensure freedom of expression online. The International Principles on the Application of Human Rights to Communications Surveillance (“the Principles”), which have been endorsed by more than 400 civil society organizations from around the world, provide a framework for assessing how international law applies when conducting communications surveillance. In a recent landmark report on “The Right to Privacy in the Digital Age,” UN High Commissioner for Human Rights Navi Pillay stated that the Principles can be considered interpretive guidance of Article 17 of the ICCPR. Simply put, state action to adopt, comply with, and implement the Principles would significantly and substantively reinforce the right to seek and receive information in the online environment.

B. Net neutrality

Critical to ensuring the internet’s continued success as a bastion of free expression is the prevention of net discrimination, which can be understood as interference with the three core principles of net neutrality: 1) that all points in the network should be able to connect to all other points in the network (the end-to-end principle); 2) that all providers of the internet should make their best efforts to deliver traffic from point to point as expeditiously as possible (the best efforts principle); and 3) that everyone should be able to innovate without permission from anyone or any entity (the innovation without permission principle).

Net neutrality means that all traffic on the internet is treated on an equal basis, no matter the origin, type of content, or means (e.g. equipment or protocols) used to transmit internet traffic. Any deviation from this principle (for instance for traffic management purposes) must be proportionate, temporary, targeted, transparent, and in accordance with relevant laws. If these criteria are not respected, users then face network discrimination.

It is our recommendation that UNESCO and other UN Agencies support legislation prohibiting net discrimination as a critical means to ensuring the free flow of information online. Additional resources on net discrimination and how to ensure the protection of net neutrality and thereby the right to free expression can be found here.

B. Questions related to the field of Freedom of Expression

6. What are the current and emerging challenges relevant to freedom of expression online?

To summarize, Access notes that some of the current and emerging challenges relevant to freedom of expression online include:

- Invasive and disproportionate policy responses

- Threats to civil society organizations, activists, citizen journalists and bloggers

- Regime change and political risks that undermine digital rights

As the WSIS Forum 2012 & 2013 Booklet on Identifying Emerging Trends and a Vision Beyond 2015 notes, there are increasing challenges in addressing freedom of expression and privacy in the digital age. The liability of intermediaries and governmental surveillance also negatively impact freedom of expression and the right to privacy on the internet. Moreover, we have documented cyberattacks on journalists and bloggers, who are targeted specifically for the opinions they hold and express online (e.g., https://www.accessnow.org/blog/2013/06/19/access-submits-upr-report-on-vietnam-cyber-attacks-on-civil-society-a-key-c).

We are also concerned about the use of invasive and disproportionate policy responses that can imperil human rights and economic development. This is especially true of legislation enacted in the name of cybersecurity, from the U.S. (e.g., https://www.accessnow.org/blog/2014/07/15/access-calls-for-president-obama-to-pledge-to-veto-cisa) to the African Union (e.g., https://www.accessnow.org/blog/2014/08/22/african-union-adopts-framework-on-cyber-security-and-data-protection) and elsewhere.

Access operates the only 24/7, international digital security helpline, offering real-time, direct technical assistance and advice to activists, independent media, and civil society organizations.


As part of this work, we have witnessed growing and varied attacks on civil society actors endangering freedom of expression.

[Additionally, Access has documented fake domain attacks that impersonate civil society and news organizations, and we have provided recommendations for mitigating such attacks (https://www.accessnow.org/page/-/docs/FakeDomainsReport.pdf)]

7. How can legislation in a diverse range of fields which impact on the Internet respect freedom of expression in line with international standards?

Legislation impacting on free expression online should be developed in a multistakeholder fashion in line with the 2005 Tunis Agenda. Multistakeholderism is considered best practice in internet policymaking and is critical to ensuring that the public interest and human rights are defended.

While myriad international, regional, and national laws provide protections for the freedom of expression, many states fail to adequately protect this right in the online environment. In 2011, the UN Human Rights Committee issued General Comment 34, which provides authoritative guidance on this issue, and should serve as a guide to states when legislating in the digital sphere.

A 2011 Joint Statement by the United Nations (UN) Special Rapporteur on Freedom of Opinion and Expression, the Organization for Security and Co-operation in Europe (OSCE) Representative on Freedom of the Media, the Organization of American States (OAS) Special Rapporteur on Freedom of Expression and the African Commission on Human and Peoples’ Rights (ACHPR) Special Rapporteur on Freedom of Expression and Access to Information, provides further useful guidance.

Finally, as noted above, protection of the right to privacy is critical to warding against self-censorship and chilling effects on free expression resulting from surveillance. To that end, we urge states to adopt, comply with, and implement the International Principles on the Application of Human Rights to Communications Surveillance, which former High Commissioner for Human Rights Navi Pillay has stated can be considered interpretive guidance of Article 17 of the ICCPR.

8. Is there a need for specific protections for freedom of expression for the Internet?

As the UN Human Rights Council affirmed in a resolution in 2012 (A/HRC/RES/20/8), “the same rights that people have offline must also be protected online, in particular freedom of expression, which is applicable regardless of frontiers and through any media of one’s choice, in accordance with articles 19 of the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights.”

The right to freedom of expression is enshrined in myriad national, regional, and international human rights frameworks and there already exists significant guidance from the UN Human Rights Committee and the various special rapporteurs on the right to freedom of expression in regard to the protection of this fundamental freedom. To that end, there is not so much a need for new, specific protections for freedom of expression online, as much as there is a need for the enforcement and protection of this right in the online environment.

C. Questions related to the field of Privacy

12. What principles should ensure respect for the right to privacy?

The International Principles on the Application of Human Rights to Communications Surveillance (“the Principles”), which have been endorsed by more than 400 civil society organizations from around the world, provide a framework for assessing how international law applies when conducting communications surveillance. In a recent landmark report on “The Right to Privacy in the Digital Age,” UN High Commissioner for Human Rights Navi Pillay stated that the Principles can be considered interpretive guidance of Article 17 of the ICCPR.

The Principles have also been cited by President Obama’s Review Group on Intelligence and Communications Technologies in expressing doubt that metadata deserves less protection than other forms of content. Some of the most prominent technology companies in the world, including Microsoft, , and Yahoo, have publicly supported a separate framework that largely echoes the Principles, and both Sweden and the United States have used the Principles as a basis for human rights frameworks adopted internally.

The following is a summary of the 13 International Principles on the Application of Human Rights to Communications Surveillance:

LEGALITY Any limitation on the right to privacy must be prescribed by law.

LEGITIMATE AIM Laws should only permit Communications Surveillance by specified State authorities to achieve a legitimate aim that corresponds to a predominantly important legal interest that is necessary in a democratic society.


NECESSITY Laws permitting Communications Surveillance by the State must limit surveillance to that which is strictly and demonstrably necessary to achieve a Legitimate Aim.

ADEQUACY Any instance of Communications Surveillance authorised by law must be appropriate to fulfill the specific Legitimate Aim identified and effective in doing so.

PROPORTIONALITY Decisions about Communications Surveillance must consider the sensitivity of the information accessed and the severity of the infringement on human rights and other competing interests.

COMPETENT JUDICIAL AUTHORITY Determinations related to Communications Surveillance must be made by a competent judicial authority that is impartial and independent.

DUE PROCESS States must respect and guarantee individuals' human rights by ensuring that lawful procedures that govern any interference with human rights are properly enumerated in law, consistently practiced, and available to the general public.

USER NOTIFICATION Individuals should be notified of a decision authorising Communications Surveillance with enough time and information to enable them to challenge the decision or seek other remedies and should have access to the materials presented in support of the application for authorization.

TRANSPARENCY States should be transparent about the use and scope of Communications Surveillance laws, regulations, activities, powers, or authorities.

PUBLIC OVERSIGHT States should establish independent oversight mechanisms to ensure transparency and accountability of Communications Surveillance.

INTEGRITY OF COMMUNICATIONS AND SYSTEMS States should not compel service providers, or hardware or software vendors to build surveillance or monitoring capabilities into their systems, or to collect or retain particular information purely for State Communications Surveillance purposes.

SAFEGUARDS FOR INTERNATIONAL COOPERATION Mutual Legal Assistance Treaties (MLATs) entered into by States should ensure that, where the laws of more than one State could apply to Communications Surveillance, the available standard with the higher level of protection for individuals should apply.

SAFEGUARDS AGAINST ILLEGITIMATE ACCESS States should enact legislation criminalising illegal Communications Surveillance by public and private actors.

For more information and to see the full text of the Principles, please see https://www.necessaryandproportionate.org/text.

13. What is the relationship between privacy, anonymity and encryption?

Former UN Special Rapporteur on Freedom of Expression Frank La Rue noted in his report (A/HRC/23/40):

In order for individuals to exercise their right to privacy in communications, they must be able to ensure that these remain private, secure and, if they choose, anonymous. Privacy of communications infers that individuals are able to exchange information and ideas in a space that is beyond the reach of other members of society, the private sector, and ultimately the State itself. Security of communications means that individuals should be able to verify that their communications are received only by their intended recipients, without interference or alteration, and that the communications they receive are equally free from intrusion. Anonymity of communications is one of the most important advances enabled by the Internet, and allows individuals to express themselves freely without fear of retribution or condemnation. (p. 7)

Any restrictions on the right to privacy, according to the Special Rapporteur, should be subject to the same “permissible limitations” test as the right to freedom of expression. Pursuant to General Comment no. 34 of the Human Rights Committee, such “permissible” restrictions must be provided by law; strictly serve a legitimate aim (respect of the rights and reputations of others, protection of national security or of public order, or of public morals or health, as defined by G.C. 34); and meet a high standard of legality, proportionality, and necessity.

As we argued in a recent intervention at the Grand Chamber of the European Court of Human Rights in the case of Delfi v Estonia, regulations that penalize or limit anonymous speech prohibit the speaker from omitting their identity from their expression. Applying the test, we find that restrictions on anonymous expression apply disproportionately, to all potential speakers; do not strictly serve any particular aim; and are not necessary to achieve any legitimate aim. Thus, the restrictions do not meet the test in G.C. 34, the official interpretation of the ICCPR.

Further, blanket restrictions on anonymous and pseudonymous expression impair the very essence of the rights to privacy and freedom of expression. Those from at-risk groups, whether domestic abuse victims, political minorities, or corporate whistleblowers, are often those speaking out against injustice and giving unpopular opinions. By imposing this prior restraint on speech, governments force would-be speakers to relinquish privacy, putting them in danger of retaliation. As a result, many would-be speakers may choose not to express themselves. The bounds of public debate would shrink to those without motive or reason to conceal their identities, and this chilling effect would prevent crucial ideas and information from reaching the public.

Encryption provides a critical means to protecting the security of communications and ensuring the protection of the rights to privacy and freedom of expression (including anonymous speech).

In March 2014, Access launched the “Encrypt All the Things” campaign (https://encryptallthethings.net/). In the wake of the continued disclosures regarding government mass surveillance, the majority of the surveillance reform conversation has revolved around the need for increased transparency. While transparency is a critical step in revealing the scope and scale of government interference with the right to privacy, many of these same disclosures highlight the ease with which unauthorized actors can access large amounts of personal information without any judicial process or oversight.

The centerpiece of the Encrypt All the Things campaign is the “Data Security Action Plan,” seven security-enhancing steps that every internet platform should take to increase the level of protection for individual information sent and stored on the internet. These protections will help prevent unauthorized access, and move state actors like the NSA and other intelligence and law enforcement agencies toward using proper, legal channels to obtain personal information.

The so-called “DSAP7” has public support from companies like Twitter, Dropbox, DuckDuckGo, and KeepSafe, as well as the Electronic Frontier Foundation, the Open Technology Institute, PEN America, and other civil society groups.

The full text of the DSAP7 and more information about the Encrypt All The Things campaign can be found at https://www.encryptallthethings.net.

15. What kinds of arrangements can help to safeguard the exercise of privacy in relation to other rights?

As the UN Guiding Principles on Business and Human Rights make clear, states have a duty to protect and corporations have a responsibility to respect human rights, and this applies to privacy as it does all other rights. Indeed, arrangements involving both state and local actors are needed to ensure adequate protection of this right. When states rely on a patchwork of laws to safeguard privacy, conflicts with other rights often emerge. To this end, Access believes that comprehensive data protection and electronic privacy laws are critical to ensuring legal clarity and appropriate protections for privacy while allowing the free exercise of freedom of expression and other rights.

In addition to comprehensive legal frameworks, dedicated institutional infrastructure and empowered independent experts, such as data protection authorities, data protection supervisors, national ombudsmen, and consumer watchdogs, amongst others, are also needed.

National Action Plans implementing the UN Guiding Principles on Business and Human Rights can also serve as a useful and effective guide to companies in better understanding their responsibilities with regards to safeguarding user privacy. So far, the UK, Finland, Denmark, Italy, the Netherlands, and Spain have NAPs and there are many more that are in the works. The International Corporate Accountability Roundtable (ICAR) has developed several resources around such NAPs which can be found here and here.

Arrangements and frameworks encouraging transparency reporting detailing the scope and scale of requests for user data are also critical to safeguarding the right to privacy. Transparency reporting is becoming the norm for the tech sector. Around 40 companies have released the reports, which are becoming more comprehensive and global in scope. The reports show the scale of online surveillance, network disruptions, content removal, and other practices impacting rights online. The Access Transparency Reporting Index collates all of the transparency reports that have been released by internet platforms and telcos to date, and will be continuously updated with new data.

And these reports are powerful — they can even influence government policy. For example, Vodafone’s recent report may have led Ireland’s Department of Justice to release data that it made 10,000 requests for stored data last year. It’s worth noting that reporting is a two-way street for corporations and governments — both must issue transparency reports to provide checks and balances on the data, and to portray a more complete picture of privacy and free expression online.

Finally, while not an arrangement per se, a new general comment by the UN Human Rights Committee on the right to privacy reflecting the exigencies and challenges of the digital age – similar to General Comment 34 on the Right to Freedom of Expression – would be particularly valuable. Similarly, the creation of a new special procedures mandate on the right to privacy, as the UN General Assembly recently encouraged the Human Rights Council to consider, would provide dedicated and continuing guidance to all actors on how to appropriately and adequately protect this right.

16. How can openness and transparency of data be reconciled with privacy?


Openness and transparency of data are not inherently at odds with the right to privacy. As regards personal data or data about individuals, acquiring explicit, informed, and affirmative consent for use and disclosure of these data, and limiting use to the purpose for which that consent has been given, allows for both openness and privacy.

Moreover, as detailed in the previous question, transparency reporting on requests for user data actually may help to safeguard the right to privacy, by helping users to have a better understanding of the scope and scale of interference with their privacy, as well as contributing to a more informed public debate on the appropriate limits of surveillance. The same could be said for disclosure of policies and practices around data processing and handling.

While transparency reports and other forms of disclosure can help to shed disinfecting light on a dark privacy landscape, transparency alone is not sufficient to ensure adequate protection of the right to privacy.

For further reference, a panel at the 2011 Internet Governance Forum hosted by Access explored in depth the question of “Privacy and Security in an Open/Realtime/Linked Data World.” The report and transcript of that session can be found here.

17. What may be the impact of issues relating to big data on respect for privacy?

Access has previously cited a study by Cambridge University (https://www.sciencenews.org/article/facebook-%E2%80%98likes%E2%80%99-can-reveal-users%E2%80%99-politics-sexual-orientation-iq) that demonstrated that sexuality, political beliefs, age, intelligence level, and gender can all be determined through an analysis of Facebook ‘likes’.

The growth in large-scale collection, retention, transfer, and analysis of personal data places everyone’s privacy at risk. All types of organizations -- consumer-facing companies, third party data brokers, government agencies, and others -- develop comprehensive profiles at times containing identifying information, such as names, addresses, and phone numbers, as well as buying habits, personal interests, ethnic identities, political affiliations, marital status, credit card details, and numerous other data points. Enough information is often collected that even anonymous information can be re-identified easily. In one high-profile case, reporters were able to identify several anonymous users based solely on their AOL search history, which had been publicly released. Information in one user's records provided detailed information on her medical history and love life.

There has been an exponential increase in the amount of data collected and stored by private companies in recent years. Facebook announced in 2012 that its data center had grown 2500x since 2008. By 2012, Facebook was collecting about 180 petabytes of data per year. For reference, one petabyte is the equivalent of 20 million 4-drawer filing cabinets filled with text. Retailers, whether focused on online markets or off, also track customers. It is estimated that in one hour Wal-Mart processes about 1 million customer transactions containing 2.5 petabytes of data.

“Free” services offered by companies are often possible because these practices are part of a business model that relies on interpreting high-quality data about their users in order to serve revenue-generating targeted advertising. And over the years, many of these same internet companies have “simplified” their privacy policies by eliminating granular user-controls while increasing the capacity to track each and every online action.

Data collection practices have been connected to specific practices that negatively impact internet users. For example, in 2012, it was discovered that some online travel booking companies, including Orbitz Worldwide Inc., were charging customers using Apple products close to 30% more for flights and hotels than visitors using Windows. Such digital market manipulation leads to economic and privacy harms. A recent breach of Target’s systems is estimated to have affected up to one third of all Americans. Ensuring that citizens have adequate knowledge and control over their data would greatly reduce the privacy and other human rights risks associated with big data. Currently, comprehensive standards apply to medical and financial data, but not other types of sensitive information.

It is not only private entities where data collection has skyrocketed. Recent revelations have shown that US government intelligence agencies have been implementing programs to collect personal information and communications of users around the world at unprecedented levels. Some of these programs are implemented through legal processes, which compel companies to produce user information that the companies have otherwise collected for their own purposes. These collection programs are overseen by the secret FISA Court, which issues orders requiring production while preventing companies from publicly revealing that the collection has occurred.

Under other programs, often authorized under Section 702 of the FISA Amendments Act and Executive Order 12333, the US is tapping fiber optic cables directly (BLARNEY, OAKSTAR, STORMBREW, FAIRVIEW), breaking into the private links between corporate data centers (e.g., MUSCULAR), or collecting the content of a whole country’s phone calls (e.g., MYSTIC/RETRO). Given the preponderance of attacks on the US Government, these mass surveillance programs place a tremendous number of users and user data at risk.

II. The Problem of Unauthorized Access

Once collected, bad data security practices have led to the unauthorized access to and use of personal information, compromising users around the world. Data breaches are increasing in frequency. Last year saw the highest total records breached, according to a report by Risk Based Security. In one incident, attackers obtained records with email addresses and passwords from around 152 million Adobe accounts. In another breach, approximately 110 million Target accounts, about a third of the US, were affected by a data breach. While the Adobe and Target breaches are two of the largest known breaches to date, data continues to be compromised with such great frequency that these incidents account for only a small portion of the total data that is known to have been exposed in 2013. Indeed, last year there were 2,164 incidents of data breaches reported worldwide, with 822 million records exposed. Attacks against US entities accounted for nearly half of all breaches globally.

Unauthorized access to user data is not a new problem. For the past 12 years, identity theft has been the biggest source of complaints to the Federal Trade Commission, which underlines that the identity and finances of citizens are consistently at risk due to needless collection practices and insufficient security practices employed by companies online. The economic impact of data breaches, and the accompanying reputational and legal fallout, is undoubtedly huge. Target spent $61 million in breach-related costs in the first three months after the breach, which experts estimate may grow to as high as $1 billion. Target’s data breach is expected to be so expensive, in part, because it revealed data placing credit at risk. That might be good for credit monitoring agencies, but it can create everyday challenges for victims when they try to get a mortgage, get a credit card, or buy a car. Data breaches are also particularly expensive in the US for the companies who lost or had records stolen. In 2012, companies paid on average $188 per lost or stolen record. That equated to about $5.4 million in loss for each entity with a data breach.

Governments also take advantage of insecure data. While the surveillance programs discussed above often operate under a system of compelled production, others skip official channels and, instead, use back doors. One such program is the "Upstream" program alluded to in slides released in June 2013 and later confirmed by government officials, which takes data right off the "backbone" of the internet -- the wires over which information is transmitted from computer to computer. Further revelations have brought to light backbone collection by US and other governments of remotely-activated webcam feeds, e-mail contact lists, and information on internal company networks. It has also been revealed that the government has acted to preserve these collection programs by undermining data security standards.

Unauthorized access or use of information by governments, as well as private actors, fundamentally threatens the internet as we know it. The world’s largest internet companies build their business models around user trust in the networks that transmit and entities that store their personal data. Google’s public Chief Legal Officer, David Drummond, has said, “Our business depends on the trust of our customers.” More acutely at risk, U.S.-based cloud computing firms spoke out after losing business following last summer’s NSA revelations, and fear losing up to $35 billion in worldwide contracts as European regulators look to tighten restrictions on the cloud. Trust is also eroded when the NSA shares data with government agencies not dealing with foreign intelligence. For example, the NSA has provided evidence to the DEA, which then uses “parallel construction,” whereby agents find alternative grounds to justify arrests and skirt legal challenges. Rule of law is threatened when legal limitations fail to protect even the narrow existing privacy protections.

III. The Role of Data Security

As data are transferred from entity to entity, they become increasingly vulnerable, with more points at which unauthorized parties may be able to gain access to those data and use them for unintended purposes. Bad actors may compromise the financial or physical safety of users, and governments could use personal information to target dissidents, stifle speech, or influence political outcomes.

Access has attempted to move the global conversation on security of big data forward. In March 2014, Access released the Data Security Action Plan. In creating the Data Security Action Plan, Access considered what common-sense practices were needed to mitigate the extreme risk posed by the increasing amounts of data stored online. The Action Plan consists of seven steps that companies should take to protect their users. The seven steps are:

1. Implement strict encryption measures on all network traffic;

2. Execute verifiable practices to effectively store user data stored at rest;

3. Maintain the security of credentials and provide robust authentication safeguards;

4. Promptly address known, exploitable vulnerabilities;

5. Use algorithms that follow security best practices;

6. Enable or support the use of client-to-client encryption; and

7. Provide user education tools on the importance of digital security hygiene.

All entities should support the implementation of these security measures on all relevant data and networks under their control. Widespread adoption would benefit all internet users around the world, and would raise the floor on minimally-acceptable data security practices. If we fail to consider data security in the debate on big data public policy, we are standardizing unacceptable risks for users, companies, and the public at large.

IV. Conclusion

To mitigate the harms of data breach and misuse and to build user trust, the global multistakeholder community should consider what steps are necessary to protect user data. Companies should take proactive steps to protect user data. Specifically, this means adopting privacy-centered approaches to the collection and processing of user data, including: data minimization to limit collection of data where possible; ensuring that data is collected and stored for strictly defined purposes, and not used in a way that is incompatible with those purposes; and applying appropriate security measures to data both in transit and at rest.

Accordingly, Access calls on UNESCO to bolster data protection standards, promote data security, and continue to foster a robust discussion on best practices.

18. How can security of personal data be enhanced?

Security of personal data is a question both of policy and practice. With regard to data security in practice, Access’ Data Security Action Plan articulates seven security-enhancing steps any entity holding user data should take to safeguard user data. The seven steps are:

1. Implement strict encryption measures on all network traffic;

2. Execute verifiable practices to effectively store user data stored at rest;

3. Maintain the security of credentials and provide robust authentication safeguards;

4. Promptly address known, exploitable vulnerabilities;

5. Use algorithms that follow security best practices;

6. Enable or support the use of client-to-client encryption; and

7. Provide user education tools on the importance of digital security hygiene.

All entities should support the implementation of these security measures on all relevant data and networks under their control. Widespread adoption would benefit all internet users around the world, and would raise the floor on minimally-acceptable data security practices.

Policies, laws, and regulations are also needed to ensure data security, in particular by articulating the appropriate limits on surveillance. As has been described elsewhere in this submission, with regard to government communications surveillance, the International Principles on the Application of Human Rights to Communications Surveillance provide interpretive guidance on how to ensure the protection of Article 17 of the ICCPR.

D. Questions related to the field of Ethics

20. How can ethical principles based on international human rights advance accessibility, openness, and multi-stakeholder participation on the Internet?

At the most basic level, all actors affected by internet policymaking, including those not yet online and other underrepresented communities, should have a seat at the table. Indeed, the continued success of the internet depends on the full, equal, and meaningful participation of multiple stakeholders in technical management of and decision-making for information and communications technology. This concept of multistakeholderism is enshrined in the 2005 Tunis Agenda.

To enable multistakeholderism to work in practice, transparency and inclusivity in internet policymaking development, processes, and implementation are key. Operationally, this can take the form of avoiding closed-door conversations and ensuring multistakeholder participation, making documents open to the public, holding public consultations, webcasting conferences and meetings where internet policy is discussed, facilitating remote participation, etc.

Capacity building, particularly at the national and regional level, is likewise critical to ensuring effective inclusivity.

E. Broader issues

25. How do cross-jurisdictional issues operate with regard to freedom of expression and privacy?

In September 2014, Access launched www.mlat.info, a website that makes it easy to explore the text and geographical scope of Mutual Legal Assistance Treaties (MLATs). These agreements facilitate the exchange of information for investigations happening across borders, dictating how users’ data is shared with foreign governments for criminal investigations and prosecutions.

A focus of MLAT.info is the need for MLAT reform (https://www.accessnow.org/blog/2014/01/09/mlat-a-four-letter-word-in-need-of-reform). The existing MLAT system is outdated and fails to meet both human rights standards and requirements for information sharing between jurisdictions. President Obama’s Review Group on Intelligence and Communications Technology determined that it can take about ten months for MLAT requests made to the US to be fulfilled.

When MLAT requests linger for ten months or longer, law enforcement agencies look towards other, informal processes for the sharing of criminal information. Means of obtaining information outside of the formal MLAT system have little to no transparency or accountability. The ineffectiveness of MLATs is therefore a problem not only for law enforcement agencies but also for users who are concerned about protecting their privacy and other rights.

One step in the process of reforming the MLAT system is providing greater information on how and where MLATs operate. Users of the MLAT.info site can use a searchable map to find treaties ratified by particular countries, and can consult a Policy Analysis page to discover the issues and potential reforms of the MLAT system and a Resources page which provides external information on mutual legal assistance.

27. What pertinent information materials exist that cut across or which are relevant to the four fields of the study?

At Access we have a variety of documents which are relevant to this study. They can be accessed here: https://www.accessnow.org/policy/docs
